# Default values for headscale.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
# NOTE(review): this listing was recovered from a copy whose line breaks and
# indentation were lost. The nesting below follows the key names and the
# upstream headscale config layout; verify it against the chart repository.

replicaCount: 1

image:
  registry: ghcr.io
  repository: juanfont/headscale
  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
  # Set an explicit version here if the deployed image must not change when
  # the chart itself is upgraded.
  tag: ""

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

headscale:
  # Key material for the server (see private_key_path and
  # noise.private_key_path below, both under /etc/headscale/secrets).
  # Anyone who can read these keys can presumably impersonate the server, so
  # limit read access to the backing Secret - TODO confirm against templates.
  keys:
    # -- Create a new private key, if not exists
    create: true
    # -- Use an existing secret
    # Preferred when the keys are managed and backed up outside the chart.
    existingSecret: ""

  # Certificate for the pod, requested through cert-manager.
  certmanager:
    enabled: true
    # Placeholder: replace with the DNS name(s) clients use to reach the server.
    dnsNames:
      - example.com
    # The referenced ClusterIssuer must already exist in the cluster.
    issuerRef:
      group: cert-manager.io
      kind: ClusterIssuer
      name: letsencrypt-prod

  # Passed to headscale as its configuration (key names follow upstream).
  config:
    # An address of the form ":PORT" binds on all interfaces of the pod.
    listen_addr: ":8080"
    # Metrics listener. Upstream headscale advises keeping this endpoint
    # private to the internal network; do not route it through the ingress.
    metrics_listen_addr: ":9090"
    # gRPC listener, used to control the server remotely. Expose it only to
    # the clients that need it.
    grpc_listen_addr: ":50443"
    # Placeholder: must be the URL clients actually connect to.
    # NOTE(review): tls_cert_path/tls_key_path are set below, so an https://
    # URL is presumably expected here in a real deployment - confirm.
    server_url: http://127.0.0.1:8080

    # SQLite config
    db_type: sqlite3
    # For production:
    db_path: /var/lib/headscale/db.sqlite

    # # Postgres config
    # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
    # The user and password below are sample values. Values files are usually
    # committed to version control, so keep a real database password out of
    # them and supply it through a Secret where the chart allows it.
    # db_type: postgres
    # db_host: localhost
    # db_port: 5432
    # db_name: headscale
    # db_user: foo
    # db_pass: bar

    private_key_path: "/etc/headscale/secrets/wireguard.key"
    noise:
      private_key_path: "/etc/headscale/secrets/noise.key"

    # # certs
    # use certmanager instead of internal acme:
    ## Use already defined certificates:
    tls_cert_path: "/etc/headscale/certs/tls.crt"
    tls_key_path: "/etc/headscale/certs/tls.key"

    derp:
      # Embedded DERP (relay) server.
      server:
        enabled: true
        region_id: 999
        region_code: "headscale"
        region_name: "Headscale Embedded DERP"
        # STUN listener on all interfaces; service.derp below publishes the
        # same port number.
        stun_listen_addr: "0.0.0.0:3478"
      # With no URLs and no paths, only the embedded server above is listed.
      urls: []
      # - https://controlplane.tailscale.com/derpmap/default
      paths: []
      # NOTE(review): in the flattened source it is ambiguous whether the next
      # key was commented out or only preceded by an empty comment line;
      # confirm against the chart repository.
      # auto_update_enabled: true
      update_frequency: 24h

    # Turns off headscale's check for newer releases; track upstream security
    # releases by other means when this stays true.
    disable_check_updates: true

prometheus:
  servicemonitor:
    enabled: false
    labels: {}
  rules:
    enabled: false
    labels: {}
    defaults:
      enabled: true
      filter: ""
      # Thresholds per severity, presumably seconds since the last update -
      # TODO confirm against the rule templates.
      lastUpdates:
        critical: 3600
        warning: 600
        info: 300
    additionalRules: []

## Enable persistence using Persistent Volume Claims
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
persistence:
  # Upload (/var/lib/headscale)
  # NOTE(review): db_path points into /var/lib/headscale, so with persistence
  # disabled the SQLite database presumably sits on ephemeral pod storage and
  # is lost when the pod is replaced - confirm, and enable for real use.
  enabled: false
  annotations: {}
  # -- data Persistent Volume Storage Class
  # If defined, storageClassName: <storageClass>
  # If set to "-", storageClassName: "", which disables dynamic provisioning
  # If undefined (the default) or set to null, no storageClassName spec is
  #   set, choosing the default provisioner.  (gp2 on AWS, standard on
  #   GKE, AWS & OpenStack)
  storageClass:
  # -- A manually managed Persistent Volume and Claim
  # Requires persistence.enabled: true
  # If defined, PVC must be created manually before volume will be bound
  existingClaim:
  # -- Create a PV on Node with given hostPath
  # storageClass has to be manual
  # A hostPath volume keeps the data in a directory on one node; restrict
  # access to that directory on the node itself.
  hostPath:
  accessMode: ReadWriteOnce
  size: 1Gi

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

podLabels: {}

podAnnotations: {}

# Both security contexts are empty by default, so the pod runs with whatever
# user and privileges the image and the cluster defaults give it. The
# commented settings are the usual hardening baseline; before enabling
# readOnlyRootFilesystem, check that every path headscale writes to (such as
# /var/lib/headscale) is backed by a volume.
podSecurityContext: {}
  # fsGroup: 2000

securityContext: {}
  # capabilities:
  #   drop:
  #     - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

service:
  type: ClusterIP
  annotations:
    # for usage with certmanager (pod certs) and traefik
    # traefik.ingress.kubernetes.io/service.serversscheme: https
    # traefik.ingress.kubernetes.io/service.serverstransport: <namespace>-insecure@kubernetescrd
    # CRD:
    #   apiVersion: traefik.io/v1alpha1
    #   kind: ServersTransport
    #   metadata:
    #     name: insecure
    #   spec:
    #     insecureSkipVerify: true
    # Caveat: insecureSkipVerify makes Traefik accept any certificate from the
    # backend, so the proxy-to-pod hop is encrypted but not authenticated.
    # Where the pod certificate chains to a CA Traefik trusts, set serverName
    # on the ServersTransport instead of skipping verification.
  port:
    http: 8080
    # Matches metrics_listen_addr; keep reachable from inside the cluster only.
    metrics: 9090
    grpc: 50443
  derp:
    # just if headscale.config.derp.server.enabled
    # LoadBalancer requests an externally reachable address. The embedded
    # DERP server is enabled by default, so a default install exposes this
    # port; restrict source ranges at the load balancer if the relay is not
    # meant to be public.
    type: LoadBalancer
    annotations:
    port: 3478

ingress:
  enabled: false
  className: ""
  annotations: {}
    # for usage with certmanager (pod certs) and nginx
    # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    #
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    # Placeholder host name; replace before enabling the ingress.
    - host: chart-example.local
      paths:
        - path: /
          pathType: ImplementationSpecific
  # Empty list: no TLS section is configured for the ingress by default.
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

# NOTE(review): the defaults above use SQLite on a ReadWriteOnce volume, which
# presumably cannot be shared by several replicas - confirm before enabling.
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80

nodeSelector: {}

tolerations: []

affinity: {}